Synopsis: Fixes argument passing security problems with /usr/bin/vacation. NetBSD versions: 1.0, 1.1, 1.2, 1.2.1, and NetBSD-current prior to 19970828. Thanks to: David Sacerdote, SNI. Reported by: SNI advisory.
Index: vacation.c
===================================================================
RCS file: /cvsroot/src/usr.bin/vacation/vacation.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -c -r1.8 -r1.9
*** vacation.c 1997/05/17 20:24:26 1.8
--- vacation.c 1997/08/28 08:13:41 1.9
***************
*** 1,4 ****
! /* $NetBSD: vacation.c,v 1.8 1997/05/17 20:24:26 pk Exp $ */
  /*
   * Copyright (c) 1983, 1987, 1993
--- 1,4 ----
! /* $NetBSD: vacation.c,v 1.9 1997/08/28 08:13:41 mrg Exp $ */
  /*
   * Copyright (c) 1983, 1987, 1993
***************
*** 43,49 ****
  #if 0
  static char sccsid[] = "@(#)vacation.c 8.2 (Berkeley) 1/26/94";
  #endif
! static char rcsid[] = "$NetBSD: vacation.c,v 1.8 1997/05/17 20:24:26 pk Exp $";
  #endif /* not lint */
  /*
--- 43,49 ----
  #if 0
  static char sccsid[] = "@(#)vacation.c 8.2 (Berkeley) 1/26/94";
  #endif
! static char rcsid[] = "$NetBSD: vacation.c,v 1.9 1997/08/28 08:13:41 mrg Exp $";
  #endif /* not lint */
  /*
***************
*** 424,432 ****
  close(pvect[0]);
  close(pvect[1]);
  fclose(mfp);
! execl(_PATH_SENDMAIL, "sendmail", "-f", myname, from, NULL);
  syslog(LOG_ERR, "vacation: can't exec %s: %s",
! _PATH_SENDMAIL, strerror(errno));
  exit(1);
  }
  close(pvect[0]);
--- 424,433 ----
  close(pvect[0]);
  close(pvect[1]);
  fclose(mfp);
! execl(_PATH_SENDMAIL, "sendmail", "-f", myname, "--", from, NULL);
  syslog(LOG_ERR, "vacation: can't exec %s: %s",
! _PATH_SENDMAIL, strerror(errno));
  exit(1);
  }
  close(pvect[0]);
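Review bot: In the last hunk (new lines 424-433), `from` still reaches the sendmail argument vector unchecked, so the fix depends entirely on the binary at `_PATH_SENDMAIL` honouring `"--"` as the end-of-options marker. A check at the point where `from` is parsed (outside this hunk) that rejects a value beginning with `-` would keep the protection independent of sendmail's option parser. While the call is being edited, the terminator should be a typed null pointer, because a bare `NULL` passed through a variadic call is not guaranteed to be pointer-sized: `execl(_PATH_SENDMAIL, "sendmail", "-f", myname, "--", from, (char *)NULL);`. The enclosing function starts and ends outside the hunk; if this branch is a forked child, as the `close`/`execl` sequence suggests, `_exit(1)` after the failed exec would avoid flushing stdio buffers inherited from the parent.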